Cybersecurity and mental health: How are you really doing?

We want to know how you are. Not just the standard “Good thanks, you?” – but how you’re really doing. Because if you work in cybersecurity, you’re handling stress from a number of different angles every day; and there’s a reasonable chance you don’t manage to disconnect and recuperate at the weekend either.

Cybersecurity has always had an inextricable relationship with stress and pressure. But the stakes have skyrocketed over the last few years. Resources are stretched thin and the sheer pace of it all leaves little room to breathe. And the emotional toll of defending organisations 24/7, with minimal recognition or rest, is quietly wearing practitioners down. 

A silent crisis in cybersecurity 

According to a 2023 ISC² survey, nearly half of cybersecurity professionals report experiencing symptoms of burnout, and over 60% feel emotionally drained by their roles. That’s not just a stat to gloss over – it’s a warning sign.

Dr. Leila Taghizadeh (CISO for IberoLatAm and Global Head of Cyber Risk at Allianz) has watched this play out over years in the industry.

“Without a doubt, burnout and stress are massive issues in the cybersecurity space,” she says. “It’s no longer a question of ‘if’ there will be a new threat – it’s a constant stream of high-stakes situations, where even a single oversight can have disastrous consequences.”

It’s that constant pressure that wears people down. You might be great at incident response or GRC or red teaming, but that doesn’t mean your nervous system is equipped to handle a nonstop stream of adrenaline-pumping alerts, late-night threat intel updates, and the lingering sense that you're one misstep away from catastrophe.

“Cybersecurity professionals are the frontline defense,” Taghizadeh continues. “And that responsibility is heavy. The demands only seem to grow as threats evolve.”

Always ‘on’ but always behind

One of the most common stressors in the field is the speed at which the threat landscape changes. Malware variants, zero-day exploits, deepfakes, AI-powered phishing – it’s relentless. You patch one vulnerability, and three more appear. 

“What was secure yesterday could be a vulnerability tomorrow,” Taghizadeh explains. “Cybersecurity is a 24/7 operation. Even when you're not on the front lines, you're watching the news, evaluating new threats, and wondering how they might impact your systems. It's a role that never really allows you to switch off.”

And then there's the staffing problem. According to Cybersecurity Ventures, the global cybersecurity workforce gap is projected to hit 3.5 million unfilled jobs by 2025. That signals even more pressure for practitioners already working in the field; at a time when they very much need a break. 

“Staff shortages amplify the problem. Long hours, minimal downtime, and overwhelming workloads create a situation where burnout feels inevitable,” Taghizadeh says. “It’s a vicious cycle – understaffed teams, higher stress, more burnout, and ultimately, more exposure to risk.”

The cost of burnout ripples across organisations 

The effects of burnout aren’t confined to individual professionals. It has a ripple effect across organisations and industries. 

Exhausted teams are more prone to mistakes. They might miss early warning signs or take longer to respond to critical incidents. People disengage, employee churn rises, and institutional knowledge decreases. While all of this is happening, attackers don’t rest – they’re still looking for vulnerabilities, and discovering new entry points through human error and poorly maintained systems. 

“Disengagement leads to exposure,” says Taghizadeh. “And exposure leads to risk.”

We don’t want to minimise how important it is on a human level that cybersecurity doesn’t cause poor mental health. But it’s still worth noting that stressed, disengaged cybersecurity practitioners are a mission-critical security issue. If we ignore the human factor, we put entire organisations at risk.

Redefining resilience: The power of purpose and presence 

All of this leads to the question: What can we actually do? 

As a starting point, we need to stop pretending that mental health is a ‘nice to have’ in cybersecurity. It’s a strategic imperative. That means we have to normalise rest. It means we have to build flexible schedules. It means mental health resources need to be embedded in security teams (not just EAPs buried in the company intranet). 

And it also means creating room for reflection and purpose.

“Focusing on the purpose of why you're doing a certain job automatically drives you to take care of your well-being,” says Abeer Khedr (CISO at the National Bank of Egypt). “You’ll eat right, stay active, nurture your mental health – because you know you need clarity of thought to solve problems.”

For Khedr, that clarity comes through faith, family, and a connection to nature. She finds calm in community work and in the simple act of gardening.

“I plant flowers. I enjoy their smell, their colours. I learn patience waiting for them to blossom,” she says. “It’s very calming.”

Her advice to cybersecurity newcomers is refreshing: don’t obsess over drawing rigid lines between work and personal life. Instead, aim for integration. Find meaning in the everyday. Be grateful for the work you get to do.

“It’s one life,” she says. “Work and personal are just different aspects of it.”

Could zen help? 

Lance James (Founder of Unit 221b), takes a philosophical approach rooted in Zen. He draws inspiration from the book Zen Mind, Beginner’s Mind by Shunryu Suzuki.

“The principle of approaching everything as if it’s our first time – even if we’ve done it a thousand times before – resonates deeply with me,” he says. “It reminds us to be fully present, open to new opportunities, and eager to learn.”

In a field plagued by imposter syndrome and constant comparison, that mindset is a breath of fresh air. It’s a call to reconnect with the curiosity that brought many of us into cybersecurity in the first place.

“Zen is about mastering oneself,” Lance adds. “It allows me to see the world as it truly is, to be present in everyday moments, and to lead with compassion.”

Make mental health visible in cybersecurity 

Ultimately, part of the solution is cultural. Cybersecurity professionals do invisible, preventative work. And when that work is effective, it often goes unnoticed.

“Recognition is critical,” says Taghizadeh. “Teams need to feel valued for the work they do every day – not just when there’s a breach.”

As well as recognising the critical work that cybersecurity practitioners do, let’s also start recognising that mental health is a core part of cybersecurity resilience. Let’s support each other. Let’s celebrate the quiet victories. And most importantly – let’s ask the question, often and honestly:

How are you, really? 

Because the only way to build strong defenses is to take care of the defenders too.